Network Security (8) Flashcards

1
Q

Which of the following is the term for a network segment that is separated from the internal network by a firewall and exposed to the Internet?

AES

DMZ

VLAN

A

DMZ

A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ), or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers. Advanced Encryption Standard (AES) is an encryption algorithm. A honeynet is a network designed to entice attackers that provides no meaningful access to sensitive information. A virtual LAN (VLAN) is a network created within a switch.

2
Q

Which of the following best describes the process of penetration testing?

Administrators attempt to access the network from outside using hacker tools.

An organization hires an outside consultant to evaluate the security conditions on the network.

An organization hires an outside consultant who attempts to compromise the network’s security measures.

A

An organization hires an outside consultant who attempts to compromise the network’s security measures.

Penetration testing is when an outside consultant is engaged to attempt unauthorized access to protected network resources. Testing by an internal administrator familiar with the security barriers would not be a valid test. While having a consultant examine the network’s security from within can be useful, this is not a penetration test. Computers or networks that are alluring targets for intruders are called honeypots or honeynets.

3
Q

Which of the following are the default administrative user accounts found in Windows and Linux operating systems? (Choose all correct answers.)

Administrator

root

admin

Control

A

Administrator

root

Administrator is the default administrative user account in Windows, and root is the administrative account in Linux. Control and admin are not privileged user accounts provided with the operating systems.

4
Q

Which of the following are network segmentation methods that can prevent intruders from gaining full access to a network? (Choose all correct answers.)

ACL

VLAN

NAC

DMZ

A

VLAN

DMZ

Virtual LANs can be used to isolate systems on a separate network segment. A demilitarized zone (DMZ), also called a perimeter network, is a network segment accessible from the Internet and separated from the internal network by a firewall. Both of these are methods for isolating systems to prevent security breaches from spreading beyond their bounds. Access control lists (ACLs) and Network Access Control (NAC) are both methods for enhancing network security, but they are not segmentation methods.

5
Q

Which of the following types of mitigation techniques is not applicable to servers?

Role separation

File integrity monitoring

DHCP snooping

A

DHCP snooping

DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. The other options are all techniques that are applicable to servers.

6
Q

On a wireless access point that uses an access control list (ACL) to specify which devices are permitted to connect to the network, which of the following is used to identify the authorized devices?

IP addresses

Device names

MAC addresses

A

MAC addresses

Wireless access points use the layer 2 MAC addresses coded into devices in their access control lists. Usernames, IP addresses, and device names can easily be impersonated.

7
Q

Which of the following network devices does not employ access control lists to restrict access?

Routers

Hubs

Switches

A

Hubs

ACLs restrict access to network devices by filtering usernames, MAC addresses, IP addresses, or other criteria. Routers, switches, and wireless access points all use ACLs to control access to them. Hubs are purely physical layer devices that relay electrical or optical signals. They have no way of controlling access to them.

8
Q

Which of the following services are provided by access control lists (ACLs)?

Authentication

Authorization

Accounting

A

Authorization

ACLs define the type of access granted to authenticated users. This process is known as authorization. Authentication is the confirmation of a user’s identity. Accounting and auditing are both methods of tracking and recording a user’s activities on a network.

9
Q

Which of the following terms describes the threat mitigation technique of deploying individual applications and services on virtual servers so that no more than one is endangered at any one time, rather than deploying multiple applications on a single server?

Geofencing

Network segmentation

Role separation

A

Role separation

Role separation is the practice of creating a different virtual server for each server role or application. Among its other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Geofencing is a technique for limiting access to a wireless network. Network segmentation describes the process of creating multiple VLANs or deploying firewalls to isolate part of a network. VLAN hopping is a type of attack in which an intruder sends command messages to a switch to transfer a port from one VLAN to another.

10
Q

Role separation is a threat mitigation technique that is applied to which of the following types of network components?

Switches

Servers

Routers

A

Servers

Role separation is the practice of creating a different virtual server for each server role or application. Among its other benefits, this forces intruders to mount attacks on multiple servers to disable an entire network. Switches, routers, and access points do not use this technique.

11
Q

Which of the following statements about DHCP snooping is not true?

DHCP snooping detects rogue DHCP servers.

DHCP snooping is implemented in network switches.

DHCP snooping prevents DNS cache poisoning.

A

DHCP snooping prevents DNS cache poisoning.

DHCP snooping is a feature found in some network switches that prevents rogue DHCP servers from assigning IP addresses to clients. It can also detect when DHCP release or decline messages arrive over a port other than the one on which the DHCP transaction originated. Although DHCP snooping can prevent DHCP clients from being assigned an incorrect IP address, it does not directly prevent the poisoning of DNS server caches with erroneous information.

12
Q

At which layer of the OSI reference model does DHCP snooping operate?

Data link

Network

Transport

A

Data link

Although DHCP is an application layer service, which uses the UDP transport layer protocol to assign network layer IP addresses, DHCP snooping is a data link layer process in which a network switch examines incoming DHCP traffic to determine whether it originates from an authorized server and is arriving over the correct port.

13
Q

Which of the following types of server attacks is a flood guard designed to prevent?

Evil twin

Denial of service

DNS poisoning

A

Denial of service

One of the most common ways to stop a server from functioning properly is to flood it with traffic of a particular type. Denial-of-service attacks frequently use floods of ping messages or TCP SYN packets to attack a server. A flood guard is a filter implemented in a firewall or a standalone device to prevent the flood of traffic from reaching the intended target. A flood guard cannot prevent an evil twin attack, which is a rogue wireless access point; DNS poisoning, which is the insertion of incorrect resource records into a DNS server cache; or war driving, which is the process of searching for unprotected wireless networks.

14
Q

Which of the following types of attacks on a network switch can a flood guard help to prevent?

DNS poisoning

War driving

MAC flooding

A

MAC flooding

By flooding a switch with frames containing many different false MAC addresses, an attacker can cause the legitimate entries in the switch’s MAC table to be aged out of the device and replaced with bogus entries. When the destinations of incoming frames are not found in the table, the switch broadcasts them throughout the network, where they can be more readily captured and compromised. A flood guard is a mechanism that prevents confirmed MAC addresses in the table from being replaced. A flood guard in a switch cannot protect against DNS poisoning, war driving, or evil twin attacks.

15
Q

Which of the following protocols is a root guard designed to affect?

EAP

STP

LDAP

A

STP

A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric. Root guards do not affect the Extensible Authentication Protocol (EAP), the Lightweight Directory Access Protocol (LDAP), or the Address Resolution Protocol (ARP).

16
Q

Which of the following features helps to protect network switches from attacks related to the Spanning Tree Protocol (STP)? (Choose all correct answers.)

BPDU guard

Root guard

DHCP snooping

Geofencing

A

BPDU guard

Root guard

Bridge Protocol Data Units (BPDUs) are messages that switches running the Spanning Tree Protocol exchange to learn about the available paths through a switched network and the states of other switches. Switches should only receive BPDUs through ports that are connected to other switches. BPDU guard is a feature that prevents BPDU messages from arriving through ports connected to end systems, such as computers, thus preventing an attacker from manipulating the STP topology. A root guard affects the behavior of the Spanning Tree Protocol (STP) by enforcing the selection of root bridge ports on a switched network. Without root guards, there is no way for administrators to enforce the topology of a network with a redundant switching fabric.

17
Q

Which of the following modifications occur when you configure the native VLAN on your network switches to use 802.1q tagging? (Choose all correct answers.)

Double-tagged packets are prevented.

BPDU guards are applied.

Root guards are applied.

A

Double-tagged packets are prevented.

To join ports on different switches into one VLAN, you designate a trunk port on each switch for the traffic between switches. Initially, the native VLAN uses the default VLAN1 for trunk traffic, and that traffic is left untagged. Untagged traffic is susceptible to attacks using double-tagged packets. When you configure the native VLAN to use tagging, this makes it impervious to double-tagging. Changing the native VLAN does not create root guards or BPDU guards, and all traffic continues to be switched, not routed.

18
Q

Which of the following protocols is responsible for inserting the tags into frames that enable switches to forward them to the appropriate VLAN?

IEEE 802.3x

IEEE 802.1X

IEEE 802.1q

A

IEEE 802.1q

The IEEE 802.1q protocol is responsible for VLAN tagging, a procedure that enables network switches to support virtual LANs (VLANs). Through the insertion of VLAN identifier tags into frames, switches can determine which VLAN each packet is destined for and forward it to the correct ports. IEEE 802.3x is one of the standards for wired Ethernet networks. IEEE 802.1X is a standard that defines a port-based network access control mechanism used for authentication on wireless and other networks. IEEE 802.11ac is a standard defining the physical and data link layer protocols for wireless networks.

19
Q

Which of the following best explains how tagging the native VLAN traffic can improve in-band switch management security?

By renaming the default VLAN

By preventing double-tagged packets

By encrypting in-band management traffic

A

By preventing double-tagged packets

When in-band switch management traffic, such as that generated by a Secure Shell (SSH) connection to a switch, uses the native VLAN, it is untagged by default. This is because the native VLAN is at first the default VLAN1, which is not tagged by the 802.1q protocol, leaving it open to certain types of double-tagging attacks. When you tag the native VLAN traffic, it is rendered immune to double-tagging. The default VLAN cannot be renamed, and SSH traffic is already encrypted by the sending workstation. Changing the native VLAN does not move the management traffic off that VLAN, although many authorities advocate the creation of a separate VLAN dedicated to in-band management traffic.

20
Q

Which of the following mitigation techniques helps organizations maintain compliance to standards such as HIPAA and FISMA?

File integrity monitoring

Role separation

Deauthentication

A

File integrity monitoring

File integrity monitoring (FIM) is a process that typically consists of a comparison of files in their current state to a known baseline copy stored elsewhere. The comparison can be direct, or it could involve the calculation of checksums or other types of file hashes. The object of the comparison is to detect changes in documents, both in content and in sensitive areas, such as credentials, privileges, and security settings, which might indicate the presence of a potential or actual security breach. Role separation applies to the deployment of applications on servers. Deauthentication is a type of wireless network attack. Tamper detection is a term used to describe a physical security measure for hardware.

21
Q

Which of the following functions cannot be implemented using digital signatures?

Integrity

Nonrepudiation

Segmentation

A

Segmentation

Digital signatures can be used for the following functions: authentication, to confirm that data originated from a specific individual; nonrepudiation, to prevent the sender from denying the data’s origin; and integrity, to confirm that the data has not been modified in transit. Segmentation is not a function of digital signatures.

22
Q

When Ralph digitally signs and encrypts a document with his private key, Alice can decrypt the document only by using Ralph’s public key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all correct answers.)

Ralph cannot deny having created the document.

No one has altered the document since Ralph sent it.

No one but Ralph can have created the document.

No one but Alice can decrypt and read the document.

A

Ralph cannot deny having created the document.

No one has altered the document since Ralph sent it.

No one but Ralph can have created the document.

Because only Ralph possesses the private key, only he could have signed and encrypted the document. Although it is possible for someone other than Alice to have decrypted the document while it was in transit, using Ralph’s public key, that individual could not have modified it and encrypted it again.

23
Q

When Alice digitally signs and encrypts a document with Ralph’s public key, Ralph can decrypt the document only by using his private key. As long as the private key is accepted to be secure, which of the following statements are true? (Choose all correct answers.)

Alice cannot deny having created the document.

No one has altered the document since Alice sent it.

No one but Alice can have created the document.

No one but Ralph can decrypt and read the document.

A

No one has altered the document since Alice sent it.

No one but Ralph can decrypt and read the document.

Because anyone can obtain Ralph’s public key, the document can have been created, signed, and encrypted by anyone. However, because only Ralph possesses the private key that can decrypt the document, he can be sure that no one has modified it in transit.

24
Q

Which of the following types of servers are typically found in a DMZ? (Choose all correct answers.)

Domain controllers

DHCP servers

Email servers

Web servers

A

Email servers

Web servers

A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ) or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers. For security reasons, domain controllers and DHCP servers should be located on internal network segments.

25
Q

Which of the following are elements you can use to segment a network? (Choose all correct answers.)

RADIUS

DMZ

VLAN

LDAP

A

DMZ

VLAN

A network segment that is separated from the internal network by a firewall and exposed to the Internet is called a demilitarized zone (DMZ) or a perimeter network. Administrators typically use a DMZ for servers that must be accessible by outside users, such as web and email servers. A virtual LAN (VLAN) is a logical network segment created within network switches. VLANs divide a switched fabric into network segments that function just like physical segments. RADIUS is an authentication, authorization, and accounting service, and LDAP is a directory services protocol; neither one is capable of segmenting networks.